CVE-2026-25588
HIGHRedisTimeSeries RESTORE invalid memory access may allow remote code execution
Title source: cnaDescription
RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This has been patched in version 1.12.14.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/RedisTimeSeries/RedisTimeSeries/security/advisories/GHSA-7jwr-g5qv-w3gw
X_Refsource_Misc x_refsource_misc
https://github.com/RedisTimeSeries/RedisTimeSeries/releases/tag/v1.12.14
Scores
CVSS v3
8.8
EPSS
0.0047
EPSS Percentile
36.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-122
Status
published
Products (2)
redistimeseries/redistimeseries
< 1.12.14
RedisTimeSeries/RedisTimeSeries
< 1.12.14
Published
May 05, 2026
Tracked Since
May 05, 2026